diff options
author | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
---|---|---|
committer | Matt A. Tobin <mattatobin@localhost.localdomain> | 2018-02-02 04:16:08 -0500 |
commit | 5f8de423f190bbb79a62f804151bc24824fa32d8 (patch) | |
tree | 10027f336435511475e392454359edea8e25895d /security/sandbox/linux/SandboxBrokerClient.cpp | |
parent | 49ee0794b5d912db1f95dce6eb52d781dc210db5 (diff) | |
download | UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.gz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.lz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.tar.xz UXP-5f8de423f190bbb79a62f804151bc24824fa32d8.zip |
Add m-esr52 at 52.6.0
Diffstat (limited to 'security/sandbox/linux/SandboxBrokerClient.cpp')
-rw-r--r-- | security/sandbox/linux/SandboxBrokerClient.cpp | 247 |
1 files changed, 247 insertions, 0 deletions
diff --git a/security/sandbox/linux/SandboxBrokerClient.cpp b/security/sandbox/linux/SandboxBrokerClient.cpp new file mode 100644 index 000000000..68744ad02 --- /dev/null +++ b/security/sandbox/linux/SandboxBrokerClient.cpp @@ -0,0 +1,247 @@ +/* -*- Mode: C++; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 2 -*- */ +/* vim: set ts=8 sts=2 et sw=2 tw=80: */ +/* This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this file, + * You can obtain one at http://mozilla.org/MPL/2.0/. */ + +#include "SandboxBrokerClient.h" +#include "SandboxInfo.h" +#include "SandboxLogging.h" + +#include <errno.h> +#include <fcntl.h> +#include <stdio.h> +#include <string.h> +#include <sys/socket.h> +#include <sys/stat.h> +#include <sys/types.h> +#include <unistd.h> + +#include "mozilla/Assertions.h" +#include "mozilla/NullPtr.h" +#include "base/strings/safe_sprintf.h" + +namespace mozilla { + +SandboxBrokerClient::SandboxBrokerClient(int aFd) +: mFileDesc(aFd) +{ +} + +SandboxBrokerClient::~SandboxBrokerClient() +{ + close(mFileDesc); +} + +int +SandboxBrokerClient::DoCall(const Request* aReq, const char* aPath, + const char* aPath2, void* aResponseBuff, + bool expectFd) +{ + // Remap /proc/self to the actual pid, so that the broker can open + // it. This happens here instead of in the broker to follow the + // principle of least privilege and keep the broker as simple as + // possible. (Note: when pid namespaces happen, this will also need + // to remap the inner pid to the outer pid.) + // We only remap the first path. + static const char kProcSelf[] = "/proc/self/"; + static const size_t kProcSelfLen = sizeof(kProcSelf) - 1; + const char* path = aPath; + // This buffer just needs to be large enough for any such path that + // the policy would actually allow. sizeof("/proc/2147483647/") == 18. + char rewrittenPath[64]; + if (strncmp(aPath, kProcSelf, kProcSelfLen) == 0) { + ssize_t len = + base::strings::SafeSPrintf(rewrittenPath, "/proc/%d/%s", + getpid(), aPath + kProcSelfLen); + if (static_cast<size_t>(len) < sizeof(rewrittenPath)) { + if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) { + SANDBOX_LOG_ERROR("rewriting %s -> %s", aPath, rewrittenPath); + } + path = rewrittenPath; + } else { + SANDBOX_LOG_ERROR("not rewriting unexpectedly long path %s", aPath); + } + } + + struct iovec ios[3]; + int respFds[2]; + + // Set up iovecs for request + path. + ios[0].iov_base = const_cast<Request*>(aReq); + ios[0].iov_len = sizeof(*aReq); + ios[1].iov_base = const_cast<char*>(path); + ios[1].iov_len = strlen(path) + 1; + if (aPath2 != nullptr) { + ios[2].iov_base = const_cast<char*>(aPath2); + ios[2].iov_len = strlen(aPath2) + 1; + } else { + ios[2].iov_base = 0; + ios[2].iov_len = 0; + } + if (ios[1].iov_len > kMaxPathLen) { + return -ENAMETOOLONG; + } + if (ios[2].iov_len > kMaxPathLen) { + return -ENAMETOOLONG; + } + + // Create response socket and send request. + if (socketpair(AF_UNIX, SOCK_SEQPACKET, 0, respFds) < 0) { + return -errno; + } + const ssize_t sent = SendWithFd(mFileDesc, ios, 3, respFds[1]); + const int sendErrno = errno; + MOZ_ASSERT(sent < 0 || + static_cast<size_t>(sent) == ios[0].iov_len + + ios[1].iov_len + + ios[2].iov_len); + close(respFds[1]); + if (sent < 0) { + close(respFds[0]); + return -sendErrno; + } + + // Set up iovecs for response. + Response resp; + ios[0].iov_base = &resp; + ios[0].iov_len = sizeof(resp); + if (aResponseBuff) { + ios[1].iov_base = aResponseBuff; + ios[1].iov_len = aReq->mBufSize; + } else { + ios[1].iov_base = nullptr; + ios[1].iov_len = 0; + } + + // Wait for response and return appropriately. + int openedFd = -1; + const ssize_t recvd = RecvWithFd(respFds[0], ios, aResponseBuff ? 2 : 1, + expectFd ? &openedFd : nullptr); + const int recvErrno = errno; + close(respFds[0]); + if (recvd < 0) { + return -recvErrno; + } + if (recvd == 0) { + SANDBOX_LOG_ERROR("Unexpected EOF, op %d flags 0%o path %s", + aReq->mOp, aReq->mFlags, path); + return -EIO; + } + MOZ_ASSERT(static_cast<size_t>(recvd) <= ios[0].iov_len + ios[1].iov_len); + // Some calls such as readlink return a size if successful + if (resp.mError >= 0) { + // Success! + if (expectFd) { + MOZ_ASSERT(openedFd >= 0); + return openedFd; + } + return resp.mError; + } + if (SandboxInfo::Get().Test(SandboxInfo::kVerbose)) { + // Keep in mind that "rejected" files can include ones that don't + // actually exist, if it's something that's optional or part of a + // search path (e.g., shared libraries). In those cases, this + // error message is expected. + SANDBOX_LOG_ERROR("Rejected errno %d op %d flags 0%o path %s", + resp.mError, aReq->mOp, aReq->mFlags, path); + } + if (openedFd >= 0) { + close(openedFd); + } + return resp.mError; +} + +int +SandboxBrokerClient::Open(const char* aPath, int aFlags) +{ + Request req = { SANDBOX_FILE_OPEN, aFlags, 0 }; + int maybeFd = DoCall(&req, aPath, nullptr, nullptr, true); + if (maybeFd >= 0) { + // NSPR has opinions about file flags. Fix O_CLOEXEC. + if ((aFlags & O_CLOEXEC) == 0) { + fcntl(maybeFd, F_SETFD, 0); + } + } + return maybeFd; +} + +int +SandboxBrokerClient::Access(const char* aPath, int aMode) +{ + Request req = { SANDBOX_FILE_ACCESS, aMode, 0 }; + return DoCall(&req, aPath, nullptr, nullptr, false); +} + +int +SandboxBrokerClient::Stat(const char* aPath, statstruct* aStat) +{ + Request req = { SANDBOX_FILE_STAT, 0, sizeof(statstruct) }; + return DoCall(&req, aPath, nullptr, (void*)aStat, false); +} + +int +SandboxBrokerClient::LStat(const char* aPath, statstruct* aStat) +{ + Request req = { SANDBOX_FILE_STAT, O_NOFOLLOW, sizeof(statstruct) }; + return DoCall(&req, aPath, nullptr, (void*)aStat, false); +} + +int +SandboxBrokerClient::Chmod(const char* aPath, int aMode) +{ + Request req = {SANDBOX_FILE_CHMOD, aMode, 0}; + return DoCall(&req, aPath, nullptr, nullptr, false); +} + +int +SandboxBrokerClient::Link(const char* aOldPath, const char* aNewPath) +{ + Request req = {SANDBOX_FILE_LINK, 0, 0}; + return DoCall(&req, aOldPath, aNewPath, nullptr, false); +} + +int +SandboxBrokerClient::Symlink(const char* aOldPath, const char* aNewPath) +{ + Request req = {SANDBOX_FILE_SYMLINK, 0, 0}; + return DoCall(&req, aOldPath, aNewPath, nullptr, false); +} + +int +SandboxBrokerClient::Rename(const char* aOldPath, const char* aNewPath) +{ + Request req = {SANDBOX_FILE_RENAME, 0, 0}; + return DoCall(&req, aOldPath, aNewPath, nullptr, false); +} + +int +SandboxBrokerClient::Mkdir(const char* aPath, int aMode) +{ + Request req = {SANDBOX_FILE_MKDIR, aMode, 0}; + return DoCall(&req, aPath, nullptr, nullptr, false); +} + +int +SandboxBrokerClient::Unlink(const char* aPath) +{ + Request req = {SANDBOX_FILE_UNLINK, 0, 0}; + return DoCall(&req, aPath, nullptr, nullptr, false); +} + +int +SandboxBrokerClient::Rmdir(const char* aPath) +{ + Request req = {SANDBOX_FILE_RMDIR, 0, 0}; + return DoCall(&req, aPath, nullptr, nullptr, false); +} + +int +SandboxBrokerClient::Readlink(const char* aPath, void* aBuff, size_t aSize) +{ + Request req = {SANDBOX_FILE_READLINK, 0, aSize}; + return DoCall(&req, aPath, nullptr, aBuff, false); +} + +} // namespace mozilla + |